Microsoft Outlook
Overall grade: F (Fail)
Microsoft · 🇺🇸 United States
Evidence categories: Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: com.microsoft.office.outlook
Manufacturer: Microsoft

⚠️ The bottom line

When you add your Gmail or Yahoo account to the new Outlook, Microsoft sends your email password to their servers. Not a hash — the actual password. Verified by security researchers. Microsoft designed it this way on purpose. Russian military hackers used an Outlook vulnerability to steal credentials — just receiving an email was enough, you didn't even have to open it. Another bug meant just looking at your inbox in preview mode could give attackers full control of your computer.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Scores by concern
Spying (Is someone spying on me?): 0/4 N/A
Data Sharing (Who gets my data?): 2/4 MODERATE
Security (Is it actually secure?): 4/4 EXTREME
Honesty (Can I trust what they say?): 2/4 MODERATE
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
Suggested alternative: Tuta Mail (encrypts subject lines, fights 75% of government requests)
5 contradictions found: 3 critical, 2 high, 0 medium. 5 sources.
Findings by concern
Data Sharing: 2/4 MODERATE (1 finding)
⚠️ Critical: firmware analysis vs regulatory findings
Microsoft's AI was caught reading confidential emails for weeks. They share your data with 801 advertising partners. Nearly a third of government demands for your email come with gag orders — Microsoft is legally forbidden from telling you they gave it away.

What they claim: Microsoft positions Outlook as a professional email solution for work and personal use

What we found: Copilot AI integration reads email content across all Outlook accounts. In January-February 2026, Copilot was caught reading confidential emails for weeks before the issue was identified. Microsoft shares data with 801 advertising partners. Free Outlook shows ads that cannot be fully disabled. 31% of US government demands come with secrecy orders — Microsoft can't tell you they handed over your email.

Security: 4/4 EXTREME (4 findings)
⚠️ Critical: firmware analysis vs app permissions
When you add your Gmail or Yahoo account to the new Outlook, Microsoft sends your email password to their servers. Not a hash — the actual password. Verified by security researchers. Microsoft designed it this way on purpose.

What they claim: Microsoft's new Outlook app is presented as an upgrade to Windows Mail

What we found: The new Outlook sends your IMAP and SMTP credentials — including passwords — for third-party email accounts (Gmail, Yahoo, iCloud) to Microsoft's Azure servers. Verified by c't/heise via traffic analysis in November 2023. When you add your Gmail account to Outlook, Microsoft gets your Gmail password. This is not a bug — it's the architecture.

⚠️ Critical: policy claims vs firmware analysis
Russian military hackers used an Outlook vulnerability to steal credentials — just receiving an email was enough, you didn't even have to open it. Another bug meant just looking at your inbox in preview mode could give attackers full control of your computer.

What they claim: Outlook is marketed as a secure, trusted email client from Microsoft

What we found: CVE-2023-23397 (CVSS 9.8): Russian military intelligence (APT28) exploited Outlook to steal NTLM credentials via a specially crafted email — no user interaction required, just receiving the email was enough. CVE-2025-21298 (CVSS 9.8): zero-click RCE via the preview pane. Opening Outlook and looking at your inbox was enough to be compromised.

⚡ High: policy claims vs firmware analysis
Microsoft killed Windows Mail and forced everyone onto new Outlook. If you had Gmail in Windows Mail running locally, your Gmail password is now on Microsoft's cloud servers. Nobody asked your permission.

What they claim: Microsoft forced Windows Mail users to migrate to the new Outlook in December 2024

What we found: Users had no choice — Windows Mail was discontinued and replaced by new Outlook. The migration sent existing email configurations, including third-party account credentials, to Microsoft's cloud. Users who had been using a local-only email client were silently moved to a cloud-dependent one that sends their passwords to Azure.

⚡ High: policy claims vs regulatory findings
Microsoft has been giving the NSA access to your email since 2007 — the first company to join PRISM. Even Germany's data protection authority complained about Outlook sending passwords to Microsoft's servers. Microsoft didn't change anything.

What they claim: Microsoft claims enterprise-grade security for Outlook

What we found: Microsoft was the first PRISM participant in September 2007. In H1 2025, Microsoft received 6,288 US legal demands for consumer data. 1,974 of these came with secrecy orders — the user was never told. The German Federal Data Protection Commissioner responded to the credential forwarding issue but Microsoft did not change the architecture.

What happened to real people
Documented incidents involving Microsoft products and user data.
First PRISM participant (2007). 31% of US legal demands come with secrecy orders — 1,974 gag orders in H1 2025 alone. Users never told their data was demanded.
Storm-0558: Chinese hackers used a stolen Microsoft signing key to access US government officials' email accounts. Microsoft's own infrastructure was the attack vector.
What your data is worth to governments
Microsoft complied with 6,288 government data requests in H1 2025; 31% of those demands included secrecy orders. Microsoft has been a confirmed PRISM participant since 2007. Under this programme, the NSA collects stored communications, and the company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).